Hi folks, This is a round-up of the latest news on the Bank Of India hack. As of 10:15pm EST on Saturday September 1st 2007, the bank website is still disabled, with a note saying it's undergoing maintenance, and asking for patience. This is a good thing, because it means they're examining all their pages for intrusions, and with appropriate care they'll also correct the vulnerabilities that allowed the site to be hacked in the first place. This is an important step, because we see entirely too many sites that get hacked, then are cleaned, and then they get hacked again because the holes have not been plugged.

Now that the dust has cleared, it is apparent that the attacking servers fired at least two different exploit sets. One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as yet unidentified exploit package, along the lines of mpack/icepack/webattacker. It contained a VML exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to mpack/icepack except that it is missing an ANI (MS07-017), and it contains instead the VML. The real difference, however, is that it had machine-generated variable and function names. In other words, the server-side script was generating the scripts in order to try to defeat scanners. For a variety of reasons that I won't go into here, this fails to defeat the scanners, especially LinkScanner, but it's an interesting step.

Btw, we now have an edited version of the video. A hi-res .mov can be found here and a YouTube version here. Cheers Roger
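Roger notes that the kit's server-side script regenerated variable and function names on every request to try to defeat signature scanners, and that this does not work. One reason it does not work is that a scanner can canonicalize identifiers before matching, so renaming alone leaves the script's structural fingerprint unchanged. The following is an added example (not code from the original post, from Sunbelt, or from LinkScanner) of that idea: a small identifier-normalizing fingerprint plus a heuristic that scores how "machine-generated" a script's names look. The sample JavaScript snippets are constructed and benign; the keyword and global lists are a minimal assumption, not a complete JavaScript grammar.

```python
import hashlib
import re

# Reserved words carry meaning and must not be renamed. This list is a minimal
# assumption for the example, not a complete JavaScript grammar.
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "do", "new", "this", "true", "false", "null", "undefined", "typeof", "in",
    "instanceof", "try", "catch", "finally", "throw", "break", "continue",
    "switch", "case", "default", "delete", "void", "with",
}
# Well-known globals are kept as-is because their names are part of the
# behaviour being fingerprinted (also an assumption; extend as needed).
JS_GLOBALS = {
    "document", "window", "navigator", "location", "String", "Array", "Math",
    "unescape", "escape", "eval", "setTimeout", "ActiveXObject",
}

IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
TOKEN_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*|\d+|\S")  # identifiers, numbers, punctuation


def user_identifiers(src: str) -> list:
    """Return the distinct renameable identifiers of a script, in first-seen order.

    Property names (tokens immediately after '.') are excluded: document.title
    means the same thing regardless of how the surrounding variables are named.
    """
    seen = []
    prev = ""
    for tok in TOKEN_RE.findall(src):
        if (IDENT_RE.fullmatch(tok) and prev != "."
                and tok not in JS_KEYWORDS and tok not in JS_GLOBALS
                and tok not in seen):
            seen.append(tok)
        prev = tok
    return seen


def normalize_js(src: str) -> str:
    """Replace every user-chosen identifier with a positional placeholder.

    The first unseen identifier becomes ID0, the next ID1, and so on, so two
    scripts that differ only in their (random) variable and function names
    normalize to exactly the same text.
    """
    mapping = {name: f"ID{i}" for i, name in enumerate(user_identifiers(src))}
    out = []
    prev = ""
    for tok in TOKEN_RE.findall(src):
        if prev != "." and tok in mapping:
            out.append(mapping[tok])
        else:
            out.append(tok)
        prev = tok
    return " ".join(out)


def fingerprint(src: str) -> str:
    """Structural fingerprint: SHA-256 of the identifier-normalized script."""
    return hashlib.sha256(normalize_js(src).encode("utf-8")).hexdigest()


def suspicious_name_ratio(src: str) -> float:
    """Fraction of user identifiers that mix letters and digits (e.g. 'qz81k').

    Human-written code rarely names every variable that way; a ratio near 1.0
    is a cheap indicator of machine-generated names worth a closer look.
    """
    names = user_identifiers(src)
    if not names:
        return 0.0
    mixed = [n for n in names if re.search(r"[A-Za-z]", n) and re.search(r"\d", n)]
    return len(mixed) / len(names)


# Constructed samples: A and B are the same script with different random names,
# C differs in structure, D is what a human-authored version might look like.
SAMPLE_A = "function qz81k(){var a7f3=document.title;return a7f3.length;}"
SAMPLE_B = "function m2x9p(){var k0r=document.title;return k0r.length;}"
SAMPLE_C = "function m2x9p(){var k0r=document.title;return k0r.length+1;}"
SAMPLE_D = "function getTitle(){var t=document.title;return t.length;}"

if __name__ == "__main__":
    for label, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(label, fingerprint(s)[:16], f"suspicious={suspicious_name_ratio(s):.2f}")
```

Samples A and B hash to the same fingerprint despite sharing no identifier, which is the property a scanner needs against per-request renaming; sample C, with a real structural change, hashes differently. The name-ratio heuristic is only a triage signal (minified legitimate code also has short names), so it belongs beside the structural match, not in place of it.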

"The guys at Sunbelt actually discovered it, and you can get some more info in their blogs for sure. The time frame was quite tight. We filmed the attack on August 30th, so it was dirty then, and we know it was clean on the 29th, because that's when the Google cache copy was made, and it was clean.

It seems like it was a day or less, but hard to tell how many hours because of time zones.

I agree with Roger that too many sites do not perform adequate due diligence when correcting the flaws after a successful site attack. Most cases are due to the admins trying to get the site back up and running. Strategies that involve a page-by-page analysis are prudent. Where can a full discussion of the attack be found? I would like to see the time frame of the attacks.